On September 7, 2017, as Hurricane Irma overwhelmed several islands in the Caribbean and approached the continental United States, the Department of Health and Human Service’s Office for Civil Rights (OCR) issued its second bulletin in as many weeks addressing how HIPAA applies in emergency situations.

In that bulletin, OCR reminds HIPAA covered entities and business associates that the HIPAA Security Rule requires them to follow strategies to protect electronic protected health information (ePHI) during emergencies so that ePHI can be accessed both during and after the emergency situation. The Security Rule requires covered entities and business associates to create and maintain a contingency plan that can be implemented in the event of an emergency or natural disaster where information systems containing ePHI may be damaged. The contingency plan must include:

  • a data backup plan (procedures to create and maintain retrievable copies of ePHI);
  • a disaster recovery plan (procedures to restore any loss of data); and
  • an emergency mode operational plan (procedures to ensure that while the entity is operating in emergency mode, critical business processes that protect the security of ePHI can continue).

Covered entities and business associates also should periodically test and revise their contingency plans and determine which applications and data are most critical to support contingency plan operations.

The September 7 bulletin also reminds covered entities and business associates to review HHS’s interactive Emergency Preparedness Decision Tool, available here. This tool can assist emergency preparedness and recovery workers in accessing and using PHI consistent with the HIPAA Privacy Rule.

In an August 30 bulletin, OCR announced that HHS Secretary Tom Price had declared public health emergencies in Texas and Louisiana in the aftermath of Hurricane Harvey. Pursuant to these declarations, Secretary Price determined to waive sanctions against hospitals in those states for failing to comply with the following provisions of the HIPAA Privacy Rule:

  • the requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care;
  • the requirement to honor a request to opt out of the facility directory;
  • the requirement to distribute a notice of privacy practices;
  • the patient’s right to request privacy restrictions; and
  • the patient’s right to request confidential communications.

The bulletin explains that the Secretary’s waiver is limited to the area and the time period identified in the emergency declaration, and to hospitals that have instituted a disaster protocol for up to 72 hours from institution of the disaster protocol.